Authenticating against multiple OUs in Active Directory

Posted on 2024-09-03 12:27:17

I'm using the Active Directory Membership Provider with the following configuration:

   <connectionStrings>
      <add name="MyConnString" connectionString="LDAP://domaincontroller/OU=Product Users,DC=my,DC=domain,DC=com" />
   </connectionStrings>

  <membership defaultProvider="MyProvider">
     <providers>
        <clear />
        <add name="MyProvider" connectionStringName="MyConnString"
             connectionUsername="my.domain.com\service_account"
             connectionPassword="biguglypassword"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
     </providers>
  </membership>

This works perfectly except it requires ALL of my users to be in the "Product Users" OU when I would actually like to have all of my users organized into various child OUs under our "Product Users" OU. Is this possible?

(Note that this is a partial repost of this question but the question I'm asking here was never answered there.)

Comments (1)

月牙弯弯 2024-09-10 12:27:17

Authentication against AD is done based on connection scope as I understand it.
Essentially what that means is that everything within the context of the connection string is considered ...

If you have your connection as:

LDAP://domaincontroller/OU=Domain Users,DC=my,DC=domain,DC=com

any user will then be authenticated that is a member of the domain.

From there you should add the Windows token-based role provider and configure it something like this ...

<!-- use windows authentication -->
<authentication mode="Windows" />

<!-- use the Windows role provider -->    
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

<!-- global authorization rules -->
<authorization>
    <allow roles="Domain Admins, Product Users"/>
    <deny users="*" />
</authorization>

This locks down the application for use by only domain admins and users within the OU "Product Users" AND all of its children recursively.

From there you can do further "context based" checks for other functions e.g. ...

if (User.IsInRole("Product Admins"))
{
   // do something groovy
}
else
   throw new SecurityException();

What does this mean ...

It means you have fine-grained control of the security of your application logic based on domain user group membership. If a user is in your domain this will authenticate them, but it may not authorise them (that's down to your role provider configuration).

Authenticate: Identify the user.

Authorise: Grant permissions / access to the user.
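
To illustrate the connection scope the answer describes, here is an added example (not from the original post and not ASP.NET code) that checks whether a user's distinguished name sits at or below the container from the question's connection string, assuming subtree scope. The helper names and the sample user DNs are constructed for illustration; it is written in Python only to show the DN comparison logic.

```python
# Added illustration. Helper names and sample DNs are constructed, not from the page.
BASE_DN = "OU=Product Users,DC=my,DC=domain,DC=com"  # container from the question

def normalize(rdn):
    """Case-fold and trim around '=' so equivalent RDNs compare equal."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # escaped character stays inside the value
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append("".join(cur))
    return [normalize(r) for r in rdns if r.strip()]

def in_subtree(user_dn, base_dn=BASE_DN):
    """True when user_dn is the base container or any descendant of it."""
    user, base = split_rdns(user_dn), split_rdns(base_dn)
    return bool(base) and len(user) >= len(base) and user[-len(base):] == base

def naive_in_subtree(user_dn, base_dn=BASE_DN):
    """String-suffix shortcut, shown only for contrast with in_subtree()."""
    return user_dn.lower().endswith(base_dn.lower())

SAMPLES = [  # constructed user DNs
    "CN=Alice,OU=EMEA,OU=Product Users,DC=my,DC=domain,DC=com",
    "cn=bob, ou=apac, ou=product users, dc=my, dc=domain, dc=com",
    "CN=Carol,OU=Contractors,DC=my,DC=domain,DC=com",
    "CN=Dave\\,OU=Product Users,DC=my,DC=domain,DC=com",  # comma is part of the CN
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(f"{in_subtree(dn)!s:5} naive={naive_in_subtree(dn)!s:5} {dn}")
```

The string-suffix shortcut disagrees with the RDN comparison on the second and fourth sample DNs, which is why any application-side container check should compare parsed RDNs rather than raw strings.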
